[Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

Jim Manico jim at manico.net
Fri Jun 13 02:22:07 EDT 2008


IMO, AntiSamy should not allow all arbitrary urls. There should at least be hooks to verify urls through malware blacklists like Google's malware blacklist API provides. I would suspect that Slashdot is doing something like this already.

- Jim


-----Original Message-----
From: Arshan Dabirsiaghi <arshan.dabirsiaghi at aspectsecurity.com>
Sent: Thursday, June 12, 2008 6:57 AM
To: Carlos Aguayo <carlos.aguayo at gmail.com>; owasp-antisamy at lists.owasp.org
Subject: Re: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

There are two reasons why we allow arbitrary HTTP URLs:
1. It's the Slashdot policy file, so we do exactly what Slashdot does.
2. That is the point of AntiSamy in general: to allow rich input.
You can lock down a policy file as much as you want, but the more you lock it down, the less useful it is to your users. If you prevent URL parameters from being in a URL, users can't put up a link to a CNN article, or their profile page on a social network, etc.
Hope that helps.
Cheers,
Arshan

From: owasp-antisamy-bounces at lists.owasp.org on behalf of Carlos Aguayo
Sent: Thu 6/12/2008 11:35 AM
To: owasp-antisamy at lists.owasp.org
Subject: [Owasp-antisamy] onsiteURL and offsiteURL accept urls with parameters

Hi,
By default both onsiteURL and offsiteURL accept url with parameters,
for example, the following link:

<a href="http://mysite.com?first=12345&second=34567">click here</a>

would pass using AntiSamy slashdot policy. Ultimately using AntiSamy
an attacker shouldn't be able to dynamically craft th

[The entire original message is not included]
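The trade-off the thread describes, as an added example that is not part of the original messages and not AntiSamy's own code: a permissive onsiteURL/offsiteURL pair that accepts query parameters (so Carlos's `?first=12345&second=34567` link passes) beside a locked-down pair that rejects them (so, as Arshan notes, a link to a CNN article with parameters is dropped too), plus the kind of URL-reputation hook Jim suggests. The regular expressions are constructed simplifications, not the real Slashdot policy values, and the blacklist lookup is a hypothetical local stand-in for an external malware-URL service.

```python
import re
from urllib.parse import urlsplit

# Constructed, simplified stand-ins for the onsiteURL / offsiteURL regexps
# of an AntiSamy policy file (NOT the real Slashdot policy values).
# The permissive pair admits '?' and '&' in the path, so links carrying
# query parameters pass; the locked-down pair omits those characters.
PERMISSIVE = {
    "onsiteURL": re.compile(r"^(?!//)[\w.#@$%+&;\-~,?=/!]*$"),
    "offsiteURL": re.compile(r"^(?:https?|ftp)://[A-Za-z0-9][\w\-.@#$%&;:,?=/+!()]*$"),
}
LOCKED_DOWN = {
    "onsiteURL": re.compile(r"^(?!//)[\w.\-~/]*$"),
    "offsiteURL": re.compile(r"^(?:https?)://[A-Za-z0-9][\w\-.:/]*$"),
}


def href_allowed(href, policy):
    """True if href matches either URL regexp of the policy, which is how a
    policy decides whether an <a href="..."> attribute value is kept."""
    return any(rx.match(href) for rx in policy.values())


# Constructed blacklist standing in for an external malware-URL lookup
# (hypothetical hook for illustration; not an AntiSamy API).
BLACKLISTED_HOSTS = {"malware.example"}


def host_blacklisted(href):
    """Reputation hook: reject the link if its host is on the blacklist."""
    host = urlsplit(href).hostname
    return host is not None and host.lower() in BLACKLISTED_HOSTS


def sanitize_href(href, policy, reputation_check=host_blacklisted):
    """Apply the policy regexp first, then the reputation hook.

    Returns the href if the attribute would be kept, or None if the
    sanitizer would strip it.
    """
    if not href_allowed(href, policy):
        return None          # rejected by the policy file's regexp
    if reputation_check(href):
        return None          # passed the regexp, rejected by the hook
    return href


if __name__ == "__main__":
    link = "http://mysite.com?first=12345&second=34567"   # Carlos's example
    print("permissive :", sanitize_href(link, PERMISSIVE))
    print("locked down:", sanitize_href(link, LOCKED_DOWN))
    print("cnn article:", sanitize_href("http://www.cnn.com/story?id=1", LOCKED_DOWN))
    print("blacklisted:", sanitize_href("http://malware.example/?x=1", PERMISSIVE))
```

The regexp and the reputation hook answer different questions: the regexp decides which URL *shapes* the policy tolerates, while the hook decides whether a syntactically acceptable URL points somewhere you are willing to link to. Tightening the regexp alone, as the thread points out, costs legitimate links (the CNN article above is dropped by the locked-down policy), whereas the hook can keep parameters allowed and still refuse a known-bad host.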